The Cybersecurity and Infrastructure Security Agency (CISA) has added nine more security flaws to its list of actively exploited bugs, including a VMware privilege escalation flaw and a Google Chrome zero-day that could be used for remote code execution.
The VMware vulnerability (CVE-2022-22960) was patched on April 6th, and it allows attackers to escalate privileges to root on vulnerable servers due to improper permissions in support scripts.
A Chrome zero-day was also included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, a bug tracked as CVE-2022-1364 and allowing remote code execution due to a V8 type confusion weakness.
All Federal Civilian Executive Branch Agencies (FCEB) agencies must patch their systems against these security bugs after being added to CISA’s KEV list according to a November binding operational directive (BOD 22-01).
They were given three weeks to mitigate the flaws until May 6th to ensure that ongoing exploitation attempts would be blocked.
CISA added seven other security vulnerabilities to its catalog today, all of them abused in ongoing attacks.
| CVE | Vulnerability Name | Due Date |
| CVE-2022-22960 | VMware Multiple Products Privilege Escalation Vulnerability | 2022-05-06 |
| CVE-2022-1364 | Google Chromium V8 Type Confusion Vulnerability | 2022-05-06 |
| CVE-2019-3929 | Crestron Multiple Products Command Injection Vulnerability | 2022-05-06 |
| CVE-2019-16057 | D-Link DNS-320 Remote Code Execution Vulnerability | 2022-05-06 |
| CVE-2018-7841 | Schneider Electric U.motion Builder SQL Injection | 2022-05-06 |
| CVE-2016-4523 | Trihedral VTScada (formerly VTS) Denial-of-Service | 2022-05-06 |
| CVE-2014-0780 | InduSoft Web Studio NTWebServer Directory Traversal | 2022-05-06 |
| CVE-2010-5330 | Ubiquiti AirOS Command Injection Vulnerability | 2022-05-06 |
| CVE-2007-3010 | Alcatel OmniPCX Enterprise Remote Code Execution | 2022-05-06 |
On Thursday, CISA also added the critical VMware remote code execution bug (CVE-2022-22954), now used in attacks to deploy cryptominer payloads.
All US orgs urged to prioritize these security updates
Even though the BOD 22-01 directive only applies to US FCEB agencies, CISA also strongly urges all US organizations from the private and public sectors to give patching these actively exploited bugs a higher priority.
Taking this advice to heart should significantly decrease the attack surface threat actors can use in attempts to breach their networks.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” the US cybersecurity agency explains.
Since the BOD 22-01 binding directive was issued, CISA has added hundreds of flaws to its catalog of actively exploited bugs, ordering US federal agencies to patch them as soon as possible to block security breaches.
Source: www.bleepingcomputer.com